Automating network response directly into VMware is a logical next step. Through this automation, VMware NSX micro segmentation and adaptive security-policy capabilities enable customers to close the gap between detection and mitigation. This dramatically reduces the time to mitigation and attacker dwell time.

Why is this important?

According to the 2017 M-Trends report, the time from initial compromise to when an attack is discovered is 99 days, during which time cybercriminals have free reign to spy, spread and steal key assets in data centers.

This is because data centers lack internal security controls and network visibility. It’s an ideal environment where attackers can go unnoticed for months. Consequently, reducing dwell time is critical to minimizing damage and data loss.

Attackers may initially compromise an employee laptop via a phishing email or social engineering, then establish persistence inside the network by spreading from the initial victim to other hosts or devices.

To control the ongoing threat, attackers will plant backdoors or hidden tunnels to communicate from inside the network, map out the internal network, identify valuable resources, and compromise devices and user credentials along the way.

The most coveted asset is administrator credentials to the data center, which enable attackers to access enterprise data. Administrative protocols also give attackers backdoor access to the data center without having to exploit an application vulnerability.

Using standard administrative tools such as SSH, telnet or RDP, attackers will easily blend in with normal administrative traffic and use their position of trust to access, steal and damage critical assets.

What you don’t see can hurt you

It’s interesting to note that 80% of data center traffic never leaves the data center, which makes it invisible to traditional network security controls. The fact that data center servers are virtualized makes things even worse.

Here’s why. Visibility into the physical network is lost for virtual machine-to-virtual machine communication on the same physical hardware. The traffic between virtual workloads also represents a dangerous blind spot.

The combined outcome of all this is that cyber attackers have too much time to steal and damage key assets in the data center. We need to reduce that window of time as quickly as possible.

Visibility, intelligence and automation are essential to reducing attacker dwell time in the data center. And this should include context about what is happening and the precise, swift actions to take.

How does it work?

The Vectra and VMware partnership aligns artificial intelligence-based threat detection and real-time enforcement down to the virtual machine, and will provide mutual customers with increased visibility and automated threat mitigation orchestrated through Vectra Active Enforcement.

First, with network visibility across the data center, Vectra automates the detection of hidden attack behaviors. Once the threat reaches a configurable threshold, Vectra turns the detection into action by integrating with the VMware NSX adaptive security policy-enforcement framework. The NSX security policy is automatically adjusted to block malicious traffic, modify the security policy or quarantine the compromised host.